Privacy Best Practices for Deployment of RFID Technology

November 30, 2008

Introduction

Creative applications of radio frequency identification (“RFID”) technologies hold promise for consumers, businesses and government. They suggest possibilities for reducing costs through better inventory management, for improving the safety of the drug supply, for aiding in the care of the elderly and impaired, for reducing error rates in hospitals and for improved tracking of luggage and cargo at airports to improve security and passenger service, among other applications.

There are many possible applications of RFID that do not pose major privacy concerns. But to the extent that RFID devices can be linked to personally identifiable information (“PII”), including where such devices facilitate the tracking of an individual’s location, RFID raises important privacy questions. While this document is primarily intended to address these privacy implications, particularly with respect to control of PII, its goal is also to increase transparency about the use of RFID technology involving consumers.

What is RFID?

RFID refers to a technology that uses radio waves to identify an object. An RFID system typically includes three elements: a tag, a reader, and a database.

An RFID tag or transponder comprises a chip that contains a unique number identifying an object (and perhaps other information) and is connected to an antenna. The antenna enables the chip to communicate via radio waves with a reader, which captures the unique number or other data on the tag. That data can then be transmitted to computers that store information about the object to which the tag is attached. In most instances, the protocol for communication between the reader and tag enables only a fixed set of commands; tags typically do not have the capacity to upload and execute additional software programs.

RFID Tags

The simplest RFID tags are “passive” and as such do not carry their own power supply to enable data transmission. Passive tags receive their power from the electromagnetic waves emitted by readers, which induce a current in the tags and thereby enable the transmission of the information stored on them. Other tags are “active” and do contain some form of power supply allowing the broadcast of information to the reader. Active tags are often able to transmit over a much longer range than passive tags – typically 100 feet or more. In comparison, passive tags have much shorter ranges, typically several yards or less. There are even RFID tags designed to have a communication range of a few inches or less.

Both active and passive tags may be “dumb,” without any capability of processing data on board, or “smart,” having significant storage capacity that can support possible data security measures such as encryption, or including sensors for measuring conditions such as pressure or heat.

Readers and Read Range

RFID readers interrogate RFID chips to receive the identification number and other data. Readers interact with chips using varying radio frequencies. Low frequency readers and tags are less expensive than ultra high frequency readers and tags, use less power and penetrate non-metallic substances better. On the other hand, ultra high frequency tags can be read at a greater range from readers and can transfer data faster than their lower frequency counterparts. Both high and low frequency RFID systems have certain advantages over the more traditional bar code systems in that they can read objects within their range without line-of-sight access and can also read multiple objects at the same time, unlike the individual object scanning required by bar code systems.

Read range refers to the maximum distance at which an RFID chip can be accessed by a reader. Read ranges can vary widely: while some systems may have a read range of 100 feet, others may have a read range of only one or two inches. The read range designed into a particular RFID system is selected to serve the requirements of a specific application. In some cases, the desired read range is long, as in the case of inventory control or inventory tracking. In other situations, only an extremely short read range is necessary, and may in fact be preferable for security reasons.

Data and RFID Systems Networks

Finally, data may be transmitted over a network from the readers to business process applications, and to databases where information about the identified objects is stored. The security of these networks is critical to the security of the overall RFID system. Depending on the sensitivity of the data within an RFID system, the data may be encrypted and include other security measures.[1]

The family of RFID technologies contains many sub-groupings with unique attributes and abilities that depend upon the various capabilities of the components of the technology, including the sophistication of the circuitry in the tags, the levels and sources of power involved, the communication protocols linking the tags and the readers, and the distance required between tags and readers for effective communication. Because different standards have developed for the varying uses of the tags, not every reader can read every tag.

Broadly speaking, RFID technology can be used for four general purposes: 1) to keep track of objects, 2) to keep track of people, 3) to provide services, or 4) as an internal component of a product or device.[2] Technical differences in the technology are reflected in its different applications.[3]

RFID and Privacy

RFID technology raises privacy concerns when its use enables parties to obtain personally identifiable information, including location information, about particular individuals that those parties otherwise would be unable or unauthorized to obtain. This information may be a person’s location; it may be that the person has a certain product in his or her possession; it may be that the person has used a particular service. Security concerns arise if unauthorized parties are able to obtain such information either from interception of the radio communications between tags and readers, through unauthorized reading of the tags, or via unauthorized access to the network or the database.

Detailed analysis of privacy and security issues in the context of these new technologies is clearly called for. Three general principles emerge from this analysis that can be applied to help address concerns about privacy in existing and new applications of RFID: the principle of technology neutrality; the principle of privacy and security as fundamental design requirements; and the principle of transparency.

Technology Neutrality: RFID technology in and of itself does not impose threats to privacy. Rather, privacy breaches occur when RFID, like any technology, is deployed in a way that is not consistent with responsible information management practices that foster sound privacy protection.

Privacy and Security as Primary Design Requirements: Users of RFID technology should address the privacy and security issues as part of its initial design. Rather than retrofitting RFID systems to respond to privacy and security issues, it is much preferable that privacy and security should be designed in from the beginning.

Consumer Transparency: There should be no secret RFID tags or readers. Use of RFID technology should be as transparent as possible, and consumers should know about the implementation and use of any RFID technology (including tags, readers and storage of PII) as they engage in any transaction that utilizes an RFID system. At the same time, it is important to recognize that notice alone does not mitigate all concerns about privacy. Notice alone does not, for example, justify any inappropriate data collection or sharing, and/or the failure to deploy appropriate security measures. Notice must be supplemented by thoughtful, robust implementation of responsible information practices.

The Purpose of these Guidelines

Representatives from various consumer groups and commercial enterprises developed these guidelines under the leadership of the Center for Democracy and Technology (“CDT”) in an effort to address current privacy concerns, as well as to limit future concerns regarding the deployment of RFID technology. This document is the result of an extensive analysis of current and near-term applications of RFID, the ways in which those applications do or do not implicate privacy, and the manner in which companies can address them. These guidelines have been designed at the principles level in consideration of the wide variety and versatility of current RFID systems, the breadth of applications, and the speed at which the technology is developing. This document is intended to provide guidance for policymakers, developers and users about privacy in the context of RFID technology.

To focus their discussions, the participants in this effort used the framework of fair information practices as articulated in the Organization for Economic Cooperation and Development’s Guidelines on the Protection of Privacy and Trans-border Flows of Personal Data (“OECD Guidelines”). While this framework proved helpful to relate RFID technology to specific issues regarding electronic data flows, it became evident to the participants that many of the privacy issues related to RFID are common to any system of information collection and storage, while in other cases RFID does raise its own novel challenges. Thus, this document does not reflect a point-by-point application of the OECD Guidelines, but rather focuses on specific challenges posed by RFID technology when applying certain aspects of fair information practices in the areas of notice, choice and consent, onward transfers, access and security.

These guidelines are designed to be sufficiently flexible so as to apply across a range of industry sectors. Their success will depend upon companies making sound decisions about how they are best implemented and maintained. We expect that some companies may, for example, provide notice in a way that differs markedly from the way in which others do, based upon the nature of a given RFID application, the company’s business model, and the environment in which both are deployed. Thus, a retailer may provide notice in a manner different from the way in which a home health care system provider provides notice. It should also be noted that this document assumes that companies deploying RFID will comply with existing laws and regulations related to information collection and sharing.

This document is targeted at commercial and private sector consumer applications. It is not intended to address government applications of RFID or applications of RFID deployed internally by companies in the employer-employee context, business-to-business applications, or uses of RFID for personal identification systems.

The participants in this initiative are keenly aware that this guidance may need to be revisited as RFID technology continues to develop and as more is learned about its impact on privacy. For example, one issue that garners significant attention is whether and to what extent RFID practically could be used to track an individual’s location. Issues such as location tracking, as well as others, will warrant reconsideration as the technology evolves and new applications emerge. As RFID technology and applications are developing rapidly, the drafters intend to review and refine the guidelines as the private sector gains experience in their implementation.

Finally, the purpose of this activity has been to attempt to define best practices. The process has involved extensive discussion about both principles and practicalities that entailed healthy give and take among parties representing widely different perspectives. Thus, while not every participant necessarily supports every recommendation, the final product represents a collective judgment that these guidelines should provide a workable set of practices that allow for realization of the potential benefits of RFID without undermining the privacy of consumers.

These guidelines are not designed as a blueprint for legislation. The participants in the drafting process believe that widespread and voluntary adoption of these guidelines, combined with a major effort at consumer education, would dramatically improve the environment for the use of RFID.

Best Practices

Notice

Consumers should be provided with clear, conspicuous and concise notice when information, including location information, is collected through an RFID system and linked, or is intended by a commercial entity to become linked, to an individual’s personal information either on the RFID tag itself or through a database. (For purposes of this document, this information shall be referred to as “linked information.”)

In either of these situations, the notice should specify:

the presence of RFID involving linked information;

the purposes for which the linked information is being collected;

how linked information will be used;

whether the linked information is used solely to enable the functioning of the device the consumer has purchased or delivery of the service for which the consumer has contracted, or to facilitate completion of the commercial business’s transaction with the consumer;

whether the linked information may be used for additional or subsequent uses, such as marketing;

that if the linked information is to be used for such additional or subsequent uses, it will be used only consistent with the consumer’s choice; and

whether the RFID tag can be removed or deactivated.

Whenever practicable, notice of the use of the RFID system to collect linked information should be provided prior to the completion of the transaction through which the good or service is obtained. In cases where there is no good or service obtained, then notice should be provided prior to the association of PII with information collected through the RFID system.

Responsibility for providing notice lies with the company having the direct relationship with the consumer.[4]

When the information on the RFID tag, such as the tag number, is not directly associated with an identified individual, in order to create a link between the information on the RFID tag and an identified individual it is usually necessary to access a series of databases or other information repositories.[5] It is the responsibility of the commercial entities involved in the deployment of RFID systems to exercise judicious discretion in determining whether the degree of linkage is sufficiently close so as to consider the information collected to be linked information.

In general, commercial entities should consider the likelihood of the linkage between PII and/or location information and the RFID identification number in determining whether notice is necessary. In making this determination, a company should give good faith consideration to the following:

The likelihood of a single individual or entity having access to all elements of information and databases necessary to effect the linkage;

The number of elements of information required to effect the linkage;

The security measures surrounding the information;

Legal protections or safeguards applicable to accessing or using the information; and

The sensitivity of the information linked to the RFID data.

As the attenuation between the PII and RFID identification number becomes greater, the risk to privacy arguably decreases, and the requirement for notice becomes increasingly subject to discretion.

Consumers should be notified when entering a commercial or public environment where RFID technology is in use. Wherever practicable, individual RFID readers should be identified as such.

Companies should engage in annual internal assessments to confirm that the posted notices accurately reflect their information practices related to RFID systems.

Companies deploying RFID technology are strongly encouraged to participate in consumer education efforts that provide background and context to consumers regarding PII collection enabled by RFID, and to raise public awareness of the technology and its benefits.

Choice and Consent

Choice pertains to the use of the RFID technology, and to the uses of linked information collected on the RFID tag or associated with the RFID number.

Consistent with the guidelines for notice, consumers should be clearly notified when there is an opportunity to exercise choice with respect to the use of the RFID technology or with respect to the use of linked information collected on the RFID tag or associated with the RFID number.

Consumers should be offered such choice before the conclusion of the transaction to obtain a good or service, wherever practicable, so that, when coupled with robust notice, consumers are given the tools to effectively exercise their choice with respect to the use of RFID technology.

Consumer choice about the use of the RFID technology

The consumer should be informed in a clear, conspicuous and concise manner when there is an option to remove, de-activate, or destroy a tag and, when there is, how that option may be exercised.

In such instances, the option to remove, de-activate or destroy an RFID tag must be readily available to the consumer and readily exercised.

By exercising choice to remove, de-activate or destroy a tag, the consumer’s ability to return an item, benefit from a warranty, or benefit from the protections of local law should not be compromised. Exercising this choice should not result in any damage or defect to a product.
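The earlier description of tags (a chip that answers only a fixed set of commands and cannot load additional software) and the choice provisions just above (the consumer's option to remove, de-activate or destroy a tag) can both be seen in one small model. The following is an added example written for this page, not code from the guidelines or from any RFID standard: the command names, the four-byte passwords and the memory layout are assumptions chosen for illustration. It shows a reader that can learn no more than the serial number without the access password, a command outside the fixed set being rejected outright, and a kill command, gated by a separate password, that deactivates the tag without touching the product it is attached to.

```python
"""Constructed model of a passive RFID tag with a fixed command set.

Added example, not code from the CDT guidelines. The command names, password
lengths and memory layout are assumptions chosen for illustration; they do not
reproduce any particular RFID air-interface standard.
"""
import hmac
from dataclasses import dataclass, field


class TagError(Exception):
    """Raised when the tag refuses a command (or, once killed, stays silent)."""


@dataclass
class PassiveTag:
    """A tag that answers only a fixed set of commands.

    An unauthenticated reader learns at most the serial number. An access
    password gates user memory, and a separate kill password gates permanent
    deactivation, which is how the consumer's choice to deactivate the tag
    can be honoured without damaging the product it is attached to.
    """
    serial: str
    access_password: bytes
    kill_password: bytes
    user_memory: bytes = b""
    memory_locked: bool = False
    killed: bool = False
    log: list = field(default_factory=list)

    # The complete command set. There is no command that loads new code, which
    # is the property the "fixed set of commands" remark in the text relies on.
    COMMANDS = ("inventory", "read", "write", "lock", "kill")

    def handle(self, command: str, *args):
        """Dispatch one over-the-air command; anything else is rejected."""
        if command not in self.COMMANDS:
            raise TagError(f"unknown command {command!r}")
        if self.killed:
            raise TagError("tag is deactivated")  # a killed tag never answers
        return getattr(self, "cmd_" + command)(*args)

    def _check(self, given: bytes, expected: bytes, what: str) -> None:
        # Constant-time comparison so timing does not leak the password.
        if not hmac.compare_digest(given, expected):
            self.log.append(what + " refused")
            raise TagError(what + " password rejected")

    def cmd_inventory(self) -> str:
        self.log.append("inventory")
        return self.serial

    def cmd_read(self, password: bytes) -> bytes:
        self._check(password, self.access_password, "access")
        self.log.append("read")
        return self.user_memory

    def cmd_write(self, password: bytes, data: bytes) -> None:
        self._check(password, self.access_password, "access")
        if self.memory_locked:
            raise TagError("user memory is locked")
        self.user_memory = data

    def cmd_lock(self, password: bytes) -> None:
        self._check(password, self.access_password, "access")
        self.memory_locked = True

    def cmd_kill(self, password: bytes) -> None:
        self._check(password, self.kill_password, "kill")
        self.killed = True
        self.user_memory = b""  # nothing readable remains after deactivation


def run_demo() -> dict:
    """Exercise the tag from a reader's point of view; constructed values throughout."""
    access, kill = b"\x01\x02\x03\x04", b"\xaa\xbb\xcc\xdd"
    tag = PassiveTag("TAG-0001", access, kill, user_memory=b"lot 42, size M")
    out = {"serial": tag.handle("inventory")}
    for label, cmd, args in [
        ("read_no_password", "read", (b"\x00\x00\x00\x00",)),
        ("read_with_password", "read", (access,)),
        ("upload_firmware", "upload_firmware", (b"new-code",)),
        ("kill_wrong_password", "kill", (access,)),
        ("kill", "kill", (kill,)),
        ("inventory_after_kill", "inventory", ()),
    ]:
        try:
            out[label] = tag.handle(cmd, *args)
        except TagError as err:
            out[label] = "refused: " + str(err)
    out["log"] = list(tag.log)
    return out


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value!r}")
```

Running the block prints the outcome of each reader command in order. Two design points matter for the guidelines: the access password is what keeps a bystander's reader from obtaining anything beyond the serial number, and the kill password is what lets the retailer (or the consumer, if given the password) honour the deactivation choice at the point of sale rather than by physically damaging the product.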

Choice and consent about the uses of PII collected on the tag or associated with the RFID number

In some cases, linked information is used solely to enable the functioning of the device[6] the consumer has purchased or delivery of the service for which the consumer has contracted, or to facilitate completion of the commercial business’s transaction with the consumer. In such instances, the consumer should be informed of the existence of the RFID tag (consistent with the provision on notice), but the consumer’s consent or choice about the use of PII need not be solicited.

When linked information collected and associated with an RFID number is used for purposes other than to enable the functioning of the device the consumer has purchased or delivery of the service for which the consumer has contracted, or to facilitate completion of the commercial business’s transaction with the consumer (such as marketing or sharing linked information with a third party for some other purpose), the consumer should be so notified and given the opportunity to consent to such uses.

Responsibility for providing choice lies with the company having the direct relationship with the consumer.[7]

Onward Transfer

Wherever practicable, a company collecting PII via the deployment of an RFID system should include in its contracts provisions requiring that the companies with which it shares PII, including its affiliates, subsidiaries and any third party companies, will afford that shared data a level of protection consistent with or greater than that afforded by the company collecting the information.

Access

When PII is maintained on the tag itself, individuals should have reasonable access to that information.

If an individual receives an adverse decision based on linked information[8] about him or herself, that individual should have reasonable access to that information. As a general principle, it is desirable to provide consumers with, if cost effective and efficient, reasonable access to personally identifiable information, including location information, collected using RFID technology.

In the above situations, appropriate access should be provided by the entity interfacing with the individual.

When access is offered it should be easily and readily available to the consumer.

Government access to linked information should be allowed only upon service of process under applicable law.

Security

Companies should exercise reasonable and appropriate efforts to secure RFID tags, readers and, whenever applicable, any corollary linked information from unauthorized reading, logging and tracking, including any network or database transmitting or containing that information and radio transmissions between readers and tags. In addition, companies should exercise reasonable and appropriate efforts to secure the linked information from unauthorized access, loss or tampering.

In so doing, companies should establish and maintain an information security program in keeping with industry standards, appropriate to the amount and sensitivity of the information stored on their system. Such a security program should include processes to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of linked information, and address those risks.

To enhance the security of information that may be transmitted between tags and reader, companies should, to the extent practicable, minimize the information stored on RFID tags themselves.
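The two security provisions above (protecting the radio exchange between tag and reader, and keeping as little information on the tag as possible) are illustrated by the contactless payment mechanism that note [1] describes, where the chip generates a unique code for each transaction and the transaction is declined if that code is not detected. The following is an added example written for this page, not code from the guidelines or from any card scheme. Note [1] says such cards use triple DES; this model substitutes HMAC-SHA256 from the Python standard library for the keyed function so that it runs without third-party packages, which changes nothing about the approve/decline logic. The card identifier, key and message layout are constructed for illustration. The chip stores only a key and a counter, no PII, and what crosses the air gap is a short code that is useless if recorded and presented again.

```python
"""Constructed model of the per-transaction code described in note [1].

Added example, not code from the guidelines or from any card scheme. Note [1]
says contactless payment cards use triple DES; this model substitutes
HMAC-SHA256 from the Python standard library for the keyed function so that it
runs without third-party packages. The decline/approve logic is the point and
does not depend on which keyed function is used. The key, card identifier and
message layout are constructed for illustration.
"""
import hashlib
import hmac
import struct

CODE_LEN = 8  # bytes of the keyed output that cross the air gap (assumed)


def transaction_code(key: bytes, card_id: bytes, counter: int, amount_cents: int) -> bytes:
    """Keyed code over (card, counter, amount): each new counter yields a new code."""
    msg = card_id + struct.pack(">IQ", counter, amount_cents)
    return hmac.new(key, msg, hashlib.sha256).digest()[:CODE_LEN]


class Card:
    """Chip side. The key never leaves the chip; only the short code is transmitted."""

    def __init__(self, card_id: bytes, key: bytes):
        self.card_id = card_id
        self._key = key
        self.counter = 0  # transaction counter, increments on every use

    def pay(self, amount_cents: int) -> dict:
        self.counter += 1
        return {
            "card_id": self.card_id,
            "counter": self.counter,
            "amount": amount_cents,
            "code": transaction_code(self._key, self.card_id, self.counter, amount_cents),
        }


class Issuer:
    """Back-end side. Holds each card's key and the highest counter seen so far."""

    def __init__(self):
        self._keys = {}
        self._last_counter = {}

    def enroll(self, card_id: bytes, key: bytes) -> None:
        self._keys[card_id] = key
        self._last_counter[card_id] = 0

    def authorize(self, txn: dict) -> str:
        key = self._keys.get(txn["card_id"])
        if key is None:
            return "declined: unknown card"
        expected = transaction_code(key, txn["card_id"], txn["counter"], txn["amount"])
        if not hmac.compare_digest(expected, txn["code"]):
            # Covers a missing code, a forged code, and a code that no longer
            # matches because the amount was altered in transit.
            return "declined: code not valid"
        if txn["counter"] <= self._last_counter[txn["card_id"]]:
            # A genuine code seen before: a recorded exchange cannot be reused.
            return "declined: replayed transaction"
        # Gaps are tolerated (a declined attempt still consumed a counter value).
        self._last_counter[txn["card_id"]] = txn["counter"]
        return "approved"


def run_demo() -> dict:
    """Walk one card through genuine, replayed and altered transactions."""
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed demo key
    card = Card(b"CARD-0001", key)
    issuer = Issuer()
    issuer.enroll(b"CARD-0001", key)

    results = {}
    first = card.pay(1250)
    results["genuine"] = issuer.authorize(first)
    results["replay"] = issuer.authorize(first)          # same exchange again

    altered = dict(card.pay(1250))
    altered["amount"] = 125_000                          # amount changed after signing
    results["altered_amount"] = issuer.authorize(altered)

    static = dict(card.pay(1250))
    static["code"] = bytes(CODE_LEN)                     # no real code presented
    results["no_code"] = issuer.authorize(static)

    results["next_genuine"] = issuer.authorize(card.pay(500))
    return results


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:15s} {verdict}")
```

The point for the guidelines is the split of information: the back-end database holds the key and the account details, the tag holds only what it needs to produce the code, and the radio channel carries nothing that could be replayed or that links the exchange to a person on its own. Securing the network between readers and the issuer remains necessary, since the back-end still holds the PII.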

Notes

[1] For example, many contact-less payment cards employ 128-bit and triple DES encryption. In a payment transaction, a contact-less chip generates a unique numeric code. If the code is not detected, the transaction is declined.

[2] Examples of these purposes are plentiful. RFID systems are used to keep track of things in manufacturing inventory warehouses, for example, where deliveries can be recorded automatically by simply moving incoming pallets (with tags embedded) past a reader. The information is then logged into the inventory system. RFID systems keep track of people in hospitals and prisons and, in the future, may be used for home health care applications that enable caregivers to monitor the daily habits of the very elderly or infirm in their homes. A familiar and early service application of RFID technology has been in toll-collection tags on highways, which allow motorists with RFID-enabled cards to pay tolls simply by passing through collection plazas. Contact-less payment cards are another service application. Additionally, RFID tags with a unique identifier are now an internal component of automobile keys; when the key is inserted in the lock, it communicates with a reader built into the car’s electrical system.

[3] For example, the chip used to provide electronic bar codes has the capability to manage security via passwords and other safeguards and can be read at a distance of several feet. RFID tags used for contact-less smart cards, on the other hand, typically are designed to support substantial cryptography and to be read at distances of an inch or so; cryptography can be used to protect tags or to secure transmission protocols.

[4] Commercial entities that do not have a direct relationship with consumers but are involved with the deployment and/or use of RFID systems should make good faith efforts to encourage the notification of consumers. A commercial entity incorporating RFID systems within its products should give notice to its direct purchasers of that fact, and to the extent practicable encourage its direct purchaser to give similar notice to their purchasers, and so on, with the objective of enabling the company having the direct relationship with consumers to give proper notice of the use of RFID technology.

The rationale for this provision is that companies not participating in or benefiting from the use of RFID but who receive products containing tags may not know that products they receive contain RFID tags, and will need to have adequate information to participate in providing notice. Use of a well-recognized logo in accordance with corresponding guidelines, such as those followed by EPCglobal association members, would be one way to support this notification.

Where RFID tags in the retail environment function solely as a replacement for barcodes as currently deployed and do not provide enhanced or additional functions, notice may be provided consistent with current practice.

[5] For example, it would arguably require several linkages to correlate the RFID tag in an automobile tire to PII about the car’s owner.

[6] For example, RFID may enable the function of an electronic device.

[7] Commercial entities that do not have a direct relationship with the consumer but are involved with deployment and/or use of the RFID system should make good faith efforts to encourage consumer choice.

A commercial entity which incorporates RFID systems in its products should inform its direct purchasers as to when a system includes RFID to help the purchaser assess whether the consumer should be offered choice and the opportunity to consent, and to the extent practicable encourage its direct purchaser to provide choice to its purchasers, and so on, with the objective of enabling the company having the direct relationship with the consumer to offer appropriate choice to consumers. Use of a well-recognized logo in accordance with corresponding guidelines, such as those followed by EPCglobal association members, is one means to support this notification.

[8] For example, an adverse decision related to the availability of a good or service, or the ability to obtain credit.